Detecting the Indicators of An Attack

Diego Samuel Espitia    1 February, 2021
Detecting the Indicators of An Attack

We always choose to implement prevention and deterrence rather than containment mechanisms in security. However, the implementation of these mechanisms is not always effective or simple to set up or maintain. In the physical world we can see many examples of this, such as photovoltaic cells, trap doors or video cameras. All of these measures prevent or deter criminals from entering a property, but to do their job they require prior configuration and constant maintenance or monitoring.

Additionally, these mechanisms cannot detect by themselves whether a criminal is studying possible weaknesses that he can exploit for his criminal objective. Therefore, in order to be truly preventive, they need to be under constant monitoring and investigation of anomalies or suspicious behaviour stored in the videos or events of the installed mechanisms.

Setting Up Systems for Prevention and Deterrence

The same happens with information security systems, where all the technical resources that are set up seek to prevent or deter, for which they take as a basis for configuration the characteristics that make it possible to detect attacks that are known and that, depending on each protection mechanism, are set up within the detection and alert engines, so that the monitoring systems can be warned of the presence of a threat.

Therefore, as with physical security, these are mechanisms that, if not monitored and kept up-to-date in their detection settings, become systems that can be analysed by criminals to detect flaws that can be exploited.

Each technology has automatic or manual ways of updating detection sensors to maintain these updates. For example, traditional antivirus systems receive constant updates to detection methods, and updated systems that use Machine Learning learn to detect threats using samples of different types of malware, such as those we have in our CARMA tool for Android threats.

Indicators of Compromise (Iocs) As an Updating Mechanism

However, one of the most popular mechanisms for keeping configurations constantly updated is Indicators of Compromise (IoC), which are pieces of forensic evidence that have been collected after an incident to identify common patterns such as IP addresses, domains or hashes that have been previously used and update detection sensors to qualify any action within the network that contains one of these pieces of evidence as a threat.

One of the prevention techniques is to conduct research on alerts from monitoring systems to determine whether the actions collected can be related to previously reported incidents in the world. This method in information security is known as Threat Hunting, being the most complete and complex methodology for the detection of possible intrusions that have bypassed the established controls, using IoCs as a basis for comparison.

From Reactive to Proactive Detectors

What if the offender uses totally unknown mechanisms? What if the malware does not touch the disk and the antivirus cannot compare with its signatures? What if the IPS does not have this data frame within its alert comparisons? What happens is that nothing is alerted, the monitoring, no matter how persistent it is, will not receive any anomaly alarm and the criminal, after a rigorous analysis of our security systems, would have found the breach or the technique to hide and achieve his objective.

In many cases, this is what it has been happening in the cyber incidents that have been reported this year, so it is necessary that the information security areas begin to change the focus from reactive detectors, such as IoC, to proactive detectors, which allow them to detect threats or incidents at the same time they happen and do not depend on prior knowledge of other incidents

Indicators of Attack (IoA)

This is what has been called Indicators of Attack (IoA), which allows detection teams (Blue Team) to identify events by behavioural patterns, for example a network scan, a communication to a C&C or any behaviour that gives signals that something has bypassed the network’s defences.

Because of this particularity, it is complicated to have a common list or database of IoA’s, as they are tied to the tactics shown in Mitre’s ATT&CK matrix and to the security characteristics of each company, using context to determine when an action is or is not an indicator of attack.

For this reason, implementation is not easy and requires in-depth knowledge of the normal IT activities of all departments in an organisation, implementation of Zero Trust Network Access systems and implementation of network traffic controls in all systems that manage information, in order to have the following basic activities in place for IoA detection:

  • Analysis of all connections with a destination outside the corporate network, giving priority to destinations marked as malicious or to places where communications should not be made from the company.
  • Any attempt to traffic the network through unconventional ports or services that have been enabled within the network or during off-hours.
  • Any equipment that has multiple active connections or attempts to connect to equipment within the network that they do not have permission to connect to or do not have in their connection history.
  • Reporting of repeated events, such as malware or malicious traffic, on one or more computers by detection systems.
  • User authentication processes, involving any simultaneous connection or failed attempts.

These constant investigations initiate the generation of the IoA knowledge base and improve incident response processes. In this way the system is based not on data that has happened and can be evaded by attackers, but on activities and techniques associated with both attack tactics and the organisation’s own network characteristics.

Leave a Reply

Your email address will not be published.